基于DPDK的虚拟化网络入侵防御系统设计与实现  被引量：5

作　　者：刘超玲 张棪[1,2] 杨慧然 吴宏晶 LIU Chaoling;ZHANG Yan;YANG Huiranl,;WU Hongjing(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100195, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100195, China)

机构地区：[1]中国科学院信息工程研究所,北京100195 [2]中国科学院大学网络空间安全学院,北京100195

出　　处：《信息网络安全》2018年第5期41-51,共11页Netinfo Security

基　　金：国家自然科学基金[61701494]

摘　　要：面对日益严峻的网络安全威胁,NIDS/NIPS成为实现网络安全防护的重要手段。针对现有NIDS/NIPS软件Snort和Iptables数据处理性能的不足,文章提出一种基于DPDK的虚拟化网络入侵防护系统v D-IPS。v D-IPS系统的整体架构,重点设计和实现了基于DPDK零拷贝的入侵检测模块、流量清洗模块。针对多元的攻击环境,设计并实现了模式匹配算法的选择机制。经过实验验证,v D-IPS满足入侵检测、流量清洗的功能需求,v D-IPS接收与检测报文单核比Snort提升约1.64倍,双核提升约2.62倍;v D-IPS转发报文单核比Iptables提升约1.56倍,双核提升约1.89倍,三核提升约2.21倍。与Snort和Iptables相比,v D-IPS在具有相同的入侵检测与防护能力的情况下还具有更优的性能,并且随着核数的增加,v D-IPS性能有进一步的提升。另外,v D-IPS具备模式匹配算法选择功能,对于不同的模式串规模和字符串长度,v D-IPS可以灵活选择对应最优的算法。As the threat of network security, NIDS/NIPS have become an important way to protect network environment. Considering the existing NIDS/NIPS software, such as Snort and Iptables have ineffective data processing performance, this paper propose a DPDK based Virtual NIPS（vD-IPS）.This paper design the overall architecture of the system, highlighting the packet connection and detection module and packet cleaning module. Considering the multiple attack environments, this paper design and implement a mechamsm of pattern matching algorithm selection. After experimental verification, vD-IPS Satisfy the requirements of intrusion detection and packet cleaning. Compare to Snort, the performance of packet connection and detection of vD-IPS with one core increased by 1.64 times and two cores has increased by 2.62 times. Comparing to Iptables, the performance of packet cleaning of vD-IPS with one core has increased by 1.56 times and two cores have increased by 1.89 times and three cores have increased by 2.21 times. In conclusion, vD-IPS performs better with the same abilities of detection and protection comparing to Snort and Iptables. With the increasing numbers of cores, vD-IPS has further improvement of performance, vD-IPS can select different pattern matching algorithm which has the best matching effect according to the character set size and string length of different pattern string.

关 键 词：NIPS DPDK 入侵检测 流量清洗 模式匹配 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]